Seriously, the FCC might still ban your operating system

Eric Schultz // Dec 9th, 2015

A few weeks ago Julius Knapp of the FCC responded to the furor in the free, libre and open source software communities related to the agency's proposed rules on banning WiFi device modification. In his response, he sought to reassure the community that their proposals will not restrict open source firmware on devices.

I'm heartened that the FCC seems to want to listen to the community's needs and I appreciate Mr. Knapp's response. Sadly though, I wish that the agency had listened to the substantive concerns of the community. In fact, despite the kind, collaborative words of the post, the underlying facts are the same: the FCC's proposal still likely bans open source, third-party firmware, as designed, and takes away all access to the radio software from users.

The response

It's important that we understand what exactly Mr. Knapp said in order to understand what changes have been made. I'll highlight important parts.

I'm pleased that this issue attracted considerable attention and thoughtful submissions into the record and would like to make it clear that the proposal is not intended to encourage manufacturers to prevent all modifications or updates to device software.

While intent is not meaningless, there's a reason the social justice community has the phrase "intent isn't magic." The definition, in short, is that the intent of the behavior is not nearly as important as the result. In this case, we don't even have to go very far to see that the result is just as bad as ever. In the second paragraph:

One of our key goals is to protect against harmful interference by calling on manufacturers to secure their devices against third party software modifications that would take a device out of its RF compliance.

For all of the reasons I've previously mentioned, requiring manufacturers to "secure their devices against third party software modifications that would take a device out of its RF compliance" is not a straightforward request. In fact, it will require using DRM-like technology on devices to prevent prevent users from taking a device out of RF compliance. Like all DRM, it is anti-user, anti-Free, Libre and Open Source Software (FLOSS) and anti-innovation.

There are a few changes referenced in the blog post that are seem positive at first but their changes are superficial at best. One part of the blog post that is remotely positive is the FCC's change to the previous guidance on U-NII, or 5Ghz router, rules. The FCC modified the guidance in order to take out a specific mention of banning DD-Wrt. Sadly, the change has no substantive improvement for users. The FCC makes very clear in their updated guidance that changes to software that control the RF parameters, including drivers, must be under the control of the manufacturer.

Another change to U-NII guidance says that there may be "agreements with a third-party" to allow replacement of software. But this only helps limited, very large third-parties with strong relationships with manufacturers. After all, a manufacturer is still required to explain to the FCC, in sufficient detail, that the modifications will keep the device in compliance. If they do not prevent those modifications, they could lose the ability to sell the device in the US. Why would a manufacturer take on that sort of risk by spreading the ability to modify the device software broadly?

My thoughts

The issue at hand with the FCC's proposal isn't whether users should run their devices in a manner outside of authorization: They most certainly should not. Instead, it's whether consumer owned devices should be under the control of users or under the control of manufacturers. The FCC's proposal in effect says deputizes manufacturers to make it more difficult for users to engage in a number of activities, most of which are legal. I support fairly punishing operators who operate a device in outside of authorization. But taking the decision on how a device functions away from a user is an extreme solution when it's unclear the problem even exists.

Perhaps most frustrating in the response from the FCC is that there is no acknowledgement that what they demand is anti-consumer and anti-user. Indeed, they haven't once publicly acknowledged the validity of the legal use cases that users have been concerned about being eliminating. The folks at the FCC are exceedingly educated; they're smart enough to know that you can't create software that says "always allow legal use-cases and always prevent illegal use-cases." Why they give such short shrift to valid use-cases and the principle of access to the public airwaves befuddles me.

Questions I don't have answers to (but would really like)

Since the response from the FCC has been so lackluster, I've created a set of questions. If the FCC moves forward on the current path of forcing device lockdown, the FCC should publicly answer these questions. This would provide users with some assurance that the FCC actually understands and appreciates the consequences of what they are proposing.

What mechanism exists for ham radio operators to modify a router in order to use RF parameters on routers which differ from the standard Part 15 parameters? If one exists, how will the FCC incentivize device manufacturers to support modification when this will inevitably add cost and risk the possibility of the device not being authorized by the FCC?

Will the FCC require manufacturers to continue updating RF parameters when the rules for Part 15 RF devices inevitably change? If not and the user can no longer modify the parameters, what recourse will users have? If the device is no longer in compliance, will the user/operator be liable for operating outside of authorization?

Currently, operators are liable for operating a device with RF parameters outside of authorization. If it is no longer possible for a Part 15 operator to modify the RF parameters of the device, will the operator no longer be liable for the substantial punishments for actions which they no longer can control? Will the manufacturers now be liable for fines for customer's operating outside of authorization since they are now fully responsible for the operating frequencies? If not, why not?

Wireless radio manufacturers rarely provide quality support for mesh networking even though the underlying hardware supports it. It falls on communities to add the functionality after release. What mechanism will the FCC use to guarantee mesh networking development and research can continue? Will radio manufacturers be required to support mesh networking upon release?

Right now, router manufacturers rarely update the devices they sell. Given the previous U-NII rules and the rules currently proposed, users would no longer be able to update the firmware controlling the wireless radio. If that is the case, how will the FCC guarantee that router manufacturers update the wireless radio for bugfixes or performance concerns over the usable life of the device?

Given our globalized world, Americans often take devices across borders into other regulatory domains. Americans wanting to be law-abiding global citizens must comply with the different rules of those regulatory. As mentioned by this servicemember, modifying the regulatory domain of a router is a cost-effective way to comply with local regulatory rules. What mechanism will exist for Americans traveling abroad to modify their devices in order to temporarily comply with the regulations of other countries?

Network research organizations expressed concern that restricting modification to the radio firmware would prevent them from testing for bugs, gauging performance and finding security holes. How will the FCC make sure these organizations can continue their important work?

In the public comments, at least one medical doctor expressed concern about transmitting medical information under the FCC's rules. In particular, he felt it was unnecessarily dangerous to patient privacy to transmit medical information across a consumer router where there was minimal ability to verify its secure operation. How will the FCC guarantee that consumers and patients can trust the privacy and security of the devices they run?

A plan to require manufacturers to operate against their customer's interest and hinder network research is rather ambitious. To take such a step would seem to indicate that customers modifying their devices to operate outside authorization is rampant. That said, a quick sample of enforcement actions indicate the FCC has taken limited actions against Part 15 users. How many Part 15 operators has the FCC initiated enforcement actions against? How many of those operators are non-commercial users? What percentage of operators have modified their device but operated in an entirely legal manner?

As a replacement to restricting device modification, has the FCC considered simply stepping up enforcement against violators? If considered, why was that plan not accepted? If not considered, why?

Given the limited enforcement actions, some commentators have felt that the FCC is attempting to get manufacturers to take on their enforcement responsibilities. What's the FCC's response to that?

Many users of computing devices have moral, ethical or practical reasons for preferring or only using software that they can modify for their own needs, also known as free, libre or open source software. The regulations, as written, would guarantee that some sort of software related to the wireless radio would not be modifiable by the user even if those modifications do not cause the radio to run outside of authorization. What cost/benefit analysis was done by the FCC to consider the interests of the FLOSS community versus the benefit to the FCC of simplifying enforcement?

Multiple comments and articles to the FCC encouraged the commission to reconsider their actions and work with the community of users, manufacturers, FLOSS developers and others to develop solutions that meet the needs of all. Given the response, it's clear that the fundamental flaws in your proposal continue to exist and do not meet the needs of any of those groups. What interactions has the FCC initiated with the community? Has the FCC proposed possible replacement regulation to the community to ask for their feedback? What events with FLOSS developers will the FCC be at to discuss this topic and address the valid concerns of this community?

Multiple comments asked that the FCC and the device community to educate users on the harm of operating outside of authorization as well as a voluntary program for third-party device software creators to ship with safe defaults. Wouldn't this meet many of the same interests of the FCC as the proposed rule?

One topic that came up in comments is that individual experimentation is key to American innovation. How will individuals develop new, more efficient radios and transmission protocols for Part 15 devices when they are no longer able to modify them?

In the proposed rule, the FCC indicated that they would continue to allow individuals to import a small number of devices for personal use. Under the the FCC's UNI-I rules and proposed rules, devices purchased inside the US would have fewer features (ability use FLOSS software, easier to experiment, usable in countries other than the US) than devices purchased outside the US. Has the FCC considered that such a rule puts devices marketed in the US at a competitive disadvantage?

While imported devices operators are required to comply with Part 15 regulations, it's quite possible that many will, due to ignorance, operate using the regulatory domain of the device's origin country. Given that there is now a competitive advantage for foreign marketed devices, has the FCC considered the harm to other spectrum users from an increase in usage of imported devices? How does that harm compare to the harm that the FCC is attempting to prevent by preventing modification to software controlling RF parameters?